Ivanti Endpoint Manager Mobile instances in cloud environments impacted by the authenticated bypass flaw, tracked as CVE-2025-4427, and the post-authentication remote code execution issue, tracked as CVE-2025-4428, have been subjected to ongoing attacks since Friday, following the initial targeting of on-premises implementations, The Register reports.Intrusions leveraging the open-source library-associated vulnerabilities have led to the deployment of multiple payloads, including the widely used Sliver remote access program, which guarantees persistence in targeted systems for further compromise, according to findings from Wiz Research. Additional analysis revealed unprotected Java Expression Language and Spring processing within the open-source libraries linked to both bugs, with Wiz researchers noting that the IP address leveraged in the intrusions had a TLS certificate that has been maintained since November. "This continuity leads us to conclude that the same actor has been opportunistically targeting both PAN-OS and Ivanti EPMM appliances," said Wiz researchers. Such a development comes after both Ivanti EPMM defects were added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog.
Cloud Security, Vulnerability Management, Patch/Configuration Management
Attacks leveraging Ivanti EPMM flaws in clouds underway

(Adobe Stock)
An In-Depth Guide to Cloud Security
Get essential knowledge and practical strategies to fortify your cloud security.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



